From: Andrey Konovalov
Date: Tue, 23 Apr 2019 14:44:51 +0200
Subject: Re: UDC hardware for fuzzing [was: Re: INFO: task hung in usb_kill_urb]
To: Alan Stern
Cc: Felipe Balbi, Greg Kroah-Hartman, "Gustavo A. R. Silva", LKML, syzkaller-bugs, USB list
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Apr 19, 2019 at 8:36 PM Alan Stern wrote:
>
> On Wed, 17 Apr 2019, Andrey Konovalov wrote:
>
> > On Tue, Apr 16, 2019 at 8:25 PM Alan Stern wrote:
> > >
> > > On Tue, 16 Apr 2019, syzbot wrote:
> > >
> > > > Hello,
> > > >
> > > > syzbot has tested the proposed patch but the reproducer still triggered
> > > > crash:
> > > > INFO: task hung in usb_kill_urb
> > >
> > > Okay, I think I found the problem. dummy-hcd doesn't check for
> > > unsupported speeds until it is too late. Andrey, what values does your
> > > usb-fuzzer gadget driver set for its max_speed field?
> >
> > It's passed from userspace without any validation :( I'll fix this!
> > Thanks for looking into it!
> >
> > I wonder why other people saw this hang as well, they didn't use the
> > dummy hcd module for sure. I guess there might be other reasons.
>
> Unquestionably it would be for other reasons. usb_kill_urb() is a
> host-side routine, not used by gadget drivers. If it fails, the reason
> lies in the host controller driver. And if people aren't using dummy-hcd
> then they must be using a different host controller driver.
>
> Is there any chance you could get hold of a USB device controller for
> more fuzzing tests? With it, you could test other parts of the USB
> stack: the UDC driver for whatever hardware you get, and the host
> controller driver for whatever you plug the UDC into.
>
> I don't know what types of UDC are readily available for the type of
> computer syzkaller uses. Perhaps Felipe or other people on the mailing
> list will have some suggestions.

You mean using a hardware UDC and plugging it into a USB host via a
physical USB cable? Yeah, I've tried that. I've used the UDC that's
available on Raspberry Pi Zero which uses the dwc2 driver for running
the reproducers syzkaller generates while having it connected to a
Linux host. It works! =) I also have a USB3380 based UDC that uses the
net2280 gadget driver. It kind of works, I was able to emulate a
SuperSpeed device with it, but the driver crashes all the time.

I haven't tried actual fuzzing of a physical host yet, that is
something on my TODO list. I was more interested in fuzzing non-Linux
hosts this way, but I can try it with Linux as well. The problem here
is that it's difficult to automate this.
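The quoted exchange traces the hang to a max_speed value that reached the driver from userspace unchecked. The following is an added example, not code from this thread or from the kernel: a userspace-buildable sketch of validating such a value at the boundary. The helper name `fuzz_validate_speed`, the `udc_max` parameter and the policy for `USB_SPEED_UNKNOWN` are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Same enumerators and values as enum usb_device_speed in the kernel's
 * include/uapi/linux/usb/ch9.h; redeclared so this builds in userspace. */
enum usb_device_speed {
	USB_SPEED_UNKNOWN = 0,
	USB_SPEED_LOW, USB_SPEED_FULL,
	USB_SPEED_HIGH,
	USB_SPEED_WIRELESS,
	USB_SPEED_SUPER,
	USB_SPEED_SUPER_PLUS,
};

/*
 * Hypothetical helper: validate a speed value copied in from userspace before
 * it is stored in a gadget driver's max_speed. udc_max is the fastest wired
 * speed the controller supports and comes from trusted driver code.
 * Returns the speed to use, or -EINVAL.
 */
int fuzz_validate_speed(unsigned int user_speed, enum usb_device_speed udc_max)
{
	switch (user_speed) {
	case USB_SPEED_UNKNOWN:
		/* Assumed policy: "unspecified" means high speed, capped by the UDC. */
		return udc_max < USB_SPEED_HIGH ? (int)udc_max : USB_SPEED_HIGH;
	case USB_SPEED_LOW:
	case USB_SPEED_FULL:
	case USB_SPEED_HIGH:
	case USB_SPEED_SUPER:
	case USB_SPEED_SUPER_PLUS:
		break;
	default:
		/* USB_SPEED_WIRELESS and every value outside the enum. */
		return -EINVAL;
	}
	/* WIRELESS is already excluded, so the remaining values are ordered. */
	if (user_speed > (unsigned int)udc_max)
		return -EINVAL;
	return (int)user_speed;
}

int main(void)
{
	printf("%d %d %d\n",
	       fuzz_validate_speed(USB_SPEED_HIGH, USB_SPEED_SUPER),
	       fuzz_validate_speed(0xdeadbeefu, USB_SPEED_SUPER),
	       fuzz_validate_speed(USB_SPEED_SUPER, USB_SPEED_HIGH));
	return 0;
}
```

The explicit allow-list matters because `USB_SPEED_WIRELESS` sits between `USB_SPEED_HIGH` and `USB_SPEED_SUPER` in the enum, so a bare range comparison against the controller's maximum would accept it.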